CVE-2024-37168 - OpenCVE

@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650
https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3
https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb
https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86
https://nvd.nist.gov/vuln/detail/CVE-2024-37168
https://www.cve.org/CVERecord?id=CVE-2024-37168

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-10T21:32:06.403Z

Updated: 2024-08-02T03:50:55.550Z

Reserved: 2024-06-03T17:29:38.330Z

Link: CVE-2024-37168

Vulnrichment

Updated: 2024-08-02T03:50:55.550Z

NVD

Status : Awaiting Analysis

Published: 2024-06-10T22:15:12.433

Modified: 2024-06-11T13:54:12.057

Link: CVE-2024-37168

Redhat

Severity : Moderate

Publid Date: 2024-06-10T00:00:00Z

Links: CVE-2024-37168 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37168", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-03T17:29:38.330Z", "datePublished": "2024-06-10T21:32:06.403Z", "dateUpdated": "2024-08-02T03:50:55.550Z"}, "containers": {"cna": {"title": "@grpc/grpc-js can allocate memory for incoming messages well above configured limits", "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86"}, {"name": "https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650", "tags": ["x_refsource_MISC"], "url": "https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650"}, {"name": "https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3", "tags": ["x_refsource_MISC"], "url": "https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3"}, {"name": "https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb", "tags": ["x_refsource_MISC"], "url": "https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb"}], "affected": [{"vendor": "grpc", "product": "grpc-node", "versions": [{"version": ">= 1.10.0, < 1.10.9", "status": "affected"}, {"version": ">= 1.9.0, < 1.9.15", "status": "affected"}, {"version": "< 1.8.22", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-10T21:32:06.403Z"}, "descriptions": [{"lang": "en", "value": "@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.\n"}], "source": {"advisory": "GHSA-7v5v-9h63-cj86", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "grpc", "product": "grpc", "cpes": ["cpe:2.3:a:grpc:grpc:1.10.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.10.0", "status": "affected", "lessThan": "1.10.9", "versionType": "custom"}, {"version": "1.9.0", "status": "affected", "lessThan": "1.9.15", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "1.8.22", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-11T14:03:13.988919Z", "id": "CVE-2024-37168", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T14:05:45.075Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:55.550Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86"}, {"name": "https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650"}, {"name": "https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3"}, {"name": "https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86", "name": "https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650", "name": "https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3", "name": "https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb", "name": "https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:55.550Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37168", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-11T14:03:13.988919Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:grpc:grpc:1.10.0:*:*:*:*:*:*:*"], "vendor": "grpc", "product": "grpc", "versions": [{"status": "affected", "version": "1.10.0", "lessThan": "1.10.9", "versionType": "custom"}, {"status": "affected", "version": "1.9.0", "lessThan": "1.9.15", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "1.8.22", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T14:05:40.662Z"}}], "cna": {"title": "@grpc/grpc-js can allocate memory for incoming messages well above configured limits", "source": {"advisory": "GHSA-7v5v-9h63-cj86", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "grpc", "product": "grpc-node", "versions": [{"status": "affected", "version": ">= 1.10.0, < 1.10.9"}, {"status": "affected", "version": ">= 1.9.0, < 1.9.15"}, {"status": "affected", "version": "< 1.8.22"}]}], "references": [{"url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86", "name": "https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650", "name": "https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3", "name": "https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb", "name": "https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-10T21:32:06.403Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37168", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:50:55.550Z", "dateReserved": "2024-06-03T17:29:38.330Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-10T21:32:06.403Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.\n"}, {"lang": "es", "value": "@grpc/grps-js implementa la funcionalidad principal de gRPC exclusivamente en JavaScript, sin un complemento de C++. Antes de las versiones 1.10.9, 1.9.15 y 1.8.22, existen dos rutas de c\u00f3digo separadas en las que se puede asignar memoria por mensaje que exceda la opci\u00f3n de canal `grpc.max_receive_message_length`: si un mensaje entrante tiene un tama\u00f1o en el cable es mayor que el l\u00edmite configurado, todo el mensaje se almacena en el b\u00fafer antes de descartarlo; y/o si un mensaje entrante tiene un tama\u00f1o dentro del l\u00edmite del cable pero se descomprime a un tama\u00f1o mayor que el l\u00edmite, el mensaje completo se descomprime en la memoria y no se descarta en el servidor. Esto se ha parcheado en las versiones 1.10.9, 1.9.15 y 1.8.22."}], "id": "CVE-2024-37168", "lastModified": "2024-06-11T13:54:12.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-10T22:15:12.433", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650"}, {"source": "security-advisories@github.com", "url": "https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3"}, {"source": "security-advisories@github.com", "url": "https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb"}, {"source": "security-advisories@github.com", "url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "grps-js: allocate memory for incoming messages well above configured limits", "id": "2292036", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292036"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-789", "details": ["@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.", "A flaw was found in grps-js, which implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This issue has been patched in versions 1.10.9, 1.9.15, and 1.8.22."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-37168", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "openresty", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Will not fix", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}], "public_date": "2024-06-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-37168\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-37168\nhttps://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86"], "threat_severity": "Moderate"}